Create a key pair and certificate on the Vectera Plus
Perform the following tasks to test the OpenSSL engine:

- Set the FXPKCS11 environment variables
- Explore some OpenSSL engine examples

Set the FXPKCS11 environment variables

In a terminal, run the following sequence of commands to set the required FXPKCS11 environment variables:

```sh
export FXPKCS11_MODULE=/path/to/libfxpkcs11.so; export FXPKCS11_CFG=/path/to/fxpkcs11.cfg;
```

Create a key pair

Perform the following steps to create a key pair on the Vectera Plus by using pkcs11-tool:

1. In a terminal, run the following command to use pkcs11-tool to create a new key pair on the Vectera Plus:

```sh
pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "demo 1" --id "123456" --usage-sign --usage-decrypt
```

2. Enter the password of the identity configured in the fxpkcs11.cfg file when prompted for the user PIN.

If the command succeeds, the keys display in the output, as shown in the following example:

```
Key pair generated:
Private Key Object; RSA
  label:      demo 1
  ID:         123456
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, local
Public Key Object; RSA 2048 bits
  label:      demo 1
  ID:         123456
  Usage:      encrypt, verify, wrap
  Access:     local
```

The command creates the following keys, which the next section uses in the test OpenSSL commands:

- A private RSA 2048 key with asymmetric sign and verify usage
- A public RSA 2048 key with verify usage

Generate a certificate

Perform the following steps to generate a certificate from the key pair:

1. In a terminal, run the following command to use OpenSSL to generate a self-signed certificate from the key pair on the Vectera Plus:

```sh
openssl req -new -x509 -engine pkcs11 -keyform engine -key "pkcs11:object=demo 1" -out demo-cert.pem -days 365
```

2. Enter the password of the identity configured in the fxpkcs11.cfg file when prompted for the user PIN.

Push the certificate

Perform the following steps to push the certificate to the Vectera Plus with pkcs11-tool:

1. In a terminal, run the following command to use pkcs11-tool to push the certificate to the Vectera Plus:

```sh
pkcs11-tool --module /usr/local/bin/fxpkcs11/libfxpkcs11.so -l --write-object demo-cert.pem --type cert --label "demo 1"
```

2. Enter the password of the identity configured in the fxpkcs11.cfg file when prompted for the user PIN.

If the command succeeds, the certificate displays in the output, as shown in the following example:

```
Created certificate:
Certificate Object; type = X.509 cert
  label:      demo 1
  subject:    DN: C=US, ST=Texas, L=Bulverde, O=Futurex, OU=Integration Engineering, CN=demo 1
  ID:         c06b
```
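A check worth running after the key-pair step is to confirm that the listing pkcs11-tool prints shows the private key marked sensitive (so it cannot be exported from the HSM) and carries no usage beyond what was requested. The following Python script is an added example, not Futurex code: it parses the listing format shown above and reports any problems; the sample listing is constructed to match the page's output.

```python
"""Parse a pkcs11-tool object listing and sanity-check the generated key pair.
Added example, not part of the fxpkcs11 or pkcs11-tool projects."""
import re

# Constructed sample, matching the listing printed after --keypairgen above.
SAMPLE_LISTING = """\
Key pair generated:
Private Key Object; RSA
  label:      demo 1
  ID:         123456
  Usage:      decrypt, sign, unwrap
  Access:     sensitive, local
Public Key Object; RSA 2048 bits
  label:      demo 1
  ID:         123456
  Usage:      encrypt, verify, wrap
  Access:     local
"""

HEADER = re.compile(r"^(Private|Public) Key Object; (\w+)(?: (\d+) bits)?$")


def parse_objects(text):
    """Return one dict per object; Usage/Access become sets, keys are lowercased."""
    objects = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            objects.append({"kind": m.group(1).lower(), "type": m.group(2),
                            "bits": int(m.group(3)) if m.group(3) else None})
        elif objects and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            value = value.strip()
            if key.lower() in ("usage", "access"):
                value = {v.strip() for v in value.split(",")}
            objects[-1][key.lower()] = value
    return objects


def check_key_pair(objects, label, key_id, allowed_usage=frozenset({"decrypt", "sign", "unwrap"})):
    """Return a list of problems (empty means the listing looks as expected)."""
    problems = []
    priv = [o for o in objects if o["kind"] == "private"]
    pub = [o for o in objects if o["kind"] == "public"]
    if len(priv) != 1 or len(pub) != 1:
        return [f"expected one private and one public object, got {len(priv)}/{len(pub)}"]
    for o in priv + pub:
        if o.get("label") != label or o.get("id") != key_id:
            problems.append(f"{o['kind']} key label/ID mismatch: {o.get('label')}/{o.get('id')}")
    if "sensitive" not in priv[0].get("access", set()):
        problems.append("private key is not marked sensitive")
    extra = priv[0].get("usage", set()) - allowed_usage
    if extra:
        problems.append(f"private key has unexpected usage: {sorted(extra)}")
    return problems
```

Feed it the real output of the keypairgen command (for example by piping through `tee` into a file) and treat any non-empty result as a reason not to proceed to the certificate step.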